Analysis
- max time kernel: 187s
- max time network: 192s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 17:31
Static task
- static1
Behavioral task
- behavioral1: Sample ok.exe, Resource win7-20220414-en
Behavioral task
- behavioral2: Sample ok.exe, Resource win10v2004-20220414-en
General
- Target: ok.exe
- Size: 257KB
- MD5: 7aa37e1425f48ca148f1a0b356162c89
- SHA1: e3cce5e265d5db34f4a7586476bd42064f47484e
- SHA256: acec132d40282e6e2af84055cd69e4e39914f516570f06dc69be30f06e3517f8
- SHA512: 44c813eb2ee619bb62d9b32af70d36b9b546c6b2ed6d5a1ddbcc2ec32798f0319916a3dc25b213bcca9234e2b12d6f532a47ee747411a6af5747c638e6090b3b
Malware Config
Signatures
-
GandCrab Payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1576-55-0x0000000000400000-0x0000000000B17000-memory.dmp: family_gandcrab
- behavioral1/memory/1576-59-0x0000000000400000-0x0000000000B17000-memory.dmp: family_gandcrab
- behavioral1/memory/1576-60-0x00000000002E0000-0x00000000002F7000-memory.dmp: family_gandcrab
- behavioral1/memory/1576-62-0x00000000002E0000-0x00000000002F7000-memory.dmp: family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)
-
suricata: ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (ok.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\scpslcujpzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ok.exe" (ok.exe)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
- File opened (read-only) by ok.exe, in this order: \??\A:, \??\B:, \??\I:, \??\M:, \??\E:, \??\F:, \??\J:, \??\R:, \??\U:, \??\G:, \??\K:, \??\N:, \??\O:, \??\S:, \??\W:, \??\Z:, \??\H:, \??\L:, \??\P:, \??\Q:, \??\T:, \??\V:, \??\X:, \??\Y:
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (ok.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ok.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (ok.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 1576 ok.exe
- 1576 ok.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process). Every entry has source PID 1576 (ok.exe) and target process nslookup.exe; each target PID below is recorded 4 times in the report, giving the 64 IoCs:
- PID 1576 wrote to memory of 928
- PID 1576 wrote to memory of 732
- PID 1576 wrote to memory of 656
- PID 1576 wrote to memory of 1768
- PID 1576 wrote to memory of 1840
- PID 1576 wrote to memory of 1964
- PID 1576 wrote to memory of 472
- PID 1576 wrote to memory of 1936
- PID 1576 wrote to memory of 588
- PID 1576 wrote to memory of 1784
- PID 1576 wrote to memory of 1640
- PID 1576 wrote to memory of 2040
- PID 1576 wrote to memory of 1616
- PID 1576 wrote to memory of 1524
- PID 1576 wrote to memory of 1868
- PID 1576 wrote to memory of 1352
Processes
- C:\Users\Admin\AppData\Local\Temp\ok.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\ok.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- 60 child processes (depth 2), each C:\Windows\SysWOW64\nslookup.exe; their command lines repeat the following four-entry cycle 15 times, in this order:
  - nslookup zonealarm.bit ns1.cloud-name.ru
  - nslookup ransomware.bit ns2.cloud-name.ru
  - nslookup zonealarm.bit ns2.cloud-name.ru
  - nslookup ransomware.bit ns1.cloud-name.ru
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/272-106-0x0000000000000000-mapping.dmp
- memory/276-112-0x0000000000000000-mapping.dmp
- memory/440-81-0x0000000000000000-mapping.dmp
- memory/472-69-0x0000000000000000-mapping.dmp
- memory/536-90-0x0000000000000000-mapping.dmp
- memory/552-119-0x0000000000000000-mapping.dmp
- memory/588-71-0x0000000000000000-mapping.dmp
- memory/608-118-0x0000000000000000-mapping.dmp
- memory/632-80-0x0000000000000000-mapping.dmp
- memory/644-83-0x0000000000000000-mapping.dmp
- memory/656-65-0x0000000000000000-mapping.dmp
- memory/732-64-0x0000000000000000-mapping.dmp
- memory/752-82-0x0000000000000000-mapping.dmp
- memory/792-96-0x0000000000000000-mapping.dmp
- memory/832-120-0x0000000000000000-mapping.dmp
- memory/896-99-0x0000000000000000-mapping.dmp
- memory/900-91-0x0000000000000000-mapping.dmp
- memory/912-115-0x0000000000000000-mapping.dmp
- memory/928-63-0x0000000000000000-mapping.dmp
- memory/948-94-0x0000000000000000-mapping.dmp
- memory/1048-93-0x0000000000000000-mapping.dmp
- memory/1060-107-0x0000000000000000-mapping.dmp
- memory/1072-85-0x0000000000000000-mapping.dmp
- memory/1096-121-0x0000000000000000-mapping.dmp
- memory/1120-98-0x0000000000000000-mapping.dmp
- memory/1160-89-0x0000000000000000-mapping.dmp
- memory/1180-105-0x0000000000000000-mapping.dmp
- memory/1244-79-0x0000000000000000-mapping.dmp
- memory/1352-78-0x0000000000000000-mapping.dmp
- memory/1364-116-0x0000000000000000-mapping.dmp
- memory/1380-104-0x0000000000000000-mapping.dmp
- memory/1476-100-0x0000000000000000-mapping.dmp
- memory/1480-109-0x0000000000000000-mapping.dmp
- memory/1484-103-0x0000000000000000-mapping.dmp
- memory/1488-113-0x0000000000000000-mapping.dmp
- memory/1496-122-0x0000000000000000-mapping.dmp
- memory/1524-76-0x0000000000000000-mapping.dmp
- memory/1548-102-0x0000000000000000-mapping.dmp
- memory/1552-101-0x0000000000000000-mapping.dmp
- memory/1572-84-0x0000000000000000-mapping.dmp
- memory/1576-54-0x0000000000CAF000-0x0000000000CC9000-memory.dmp (Filesize: 104KB)
- memory/1576-60-0x00000000002E0000-0x00000000002F7000-memory.dmp (Filesize: 92KB)
- memory/1576-59-0x0000000000400000-0x0000000000B17000-memory.dmp (Filesize: 7.1MB)
- memory/1576-58-0x0000000000CAF000-0x0000000000CC9000-memory.dmp (Filesize: 104KB)
- memory/1576-61-0x0000000000CAF000-0x0000000000CC9000-memory.dmp (Filesize: 104KB)
- memory/1576-62-0x00000000002E0000-0x00000000002F7000-memory.dmp (Filesize: 92KB)
- memory/1576-56-0x0000000075721000-0x0000000075723000-memory.dmp (Filesize: 8KB)
- memory/1576-55-0x0000000000400000-0x0000000000B17000-memory.dmp (Filesize: 7.1MB)
- memory/1592-88-0x0000000000000000-mapping.dmp
- memory/1596-87-0x0000000000000000-mapping.dmp
- memory/1604-114-0x0000000000000000-mapping.dmp
- memory/1616-75-0x0000000000000000-mapping.dmp
- memory/1640-73-0x0000000000000000-mapping.dmp
- memory/1672-95-0x0000000000000000-mapping.dmp
- memory/1684-86-0x0000000000000000-mapping.dmp
- memory/1756-108-0x0000000000000000-mapping.dmp
- memory/1768-66-0x0000000000000000-mapping.dmp
- memory/1784-72-0x0000000000000000-mapping.dmp
- memory/1800-117-0x0000000000000000-mapping.dmp
- memory/1816-111-0x0000000000000000-mapping.dmp
- memory/1840-67-0x0000000000000000-mapping.dmp
- memory/1868-77-0x0000000000000000-mapping.dmp
- memory/1936-70-0x0000000000000000-mapping.dmp
- memory/1960-92-0x0000000000000000-mapping.dmp
- memory/1964-68-0x0000000000000000-mapping.dmp
- memory/2008-97-0x0000000000000000-mapping.dmp
- memory/2032-110-0x0000000000000000-mapping.dmp
- memory/2040-74-0x0000000000000000-mapping.dmp